Fixes #698

Author: oharsta

client/src/tabs/UserRoleAudits.scss

@@ -5,27 +5,27 @@
         thead {
             th {
                 &.userEmail {
-                    width: 20%;
+                    width: 30%;
                 }
 
                 &.roleName {
                     width: 30%;
                 }
 
                 &.action {
-                    width: 12%;
+                    width: 10%;
                 }
 
                 &.authority {
-                    width: 12%;
+                    width: 10%;
                 }
 
                 &.createdAt {
-                    width: 12%;
+                    width: 10%;
                 }
 
                 &.endDate {
-                    width: 12%;
+                    width: 10%;
                 }
 
             }

server/src/main/java/invite/api/SystemController.java

@@ -64,10 +64,10 @@ public SystemController(ResourceCleaner resourceCleaner,
     }
 
     @GetMapping("/cron/cleanup")
-    public ResponseEntity<Map<String, List<? extends Serializable>>> cronCleanup(@Parameter(hidden = true) User user) {
+    public ResponseEntity<Map<String, Object>> cronCleanup(@Parameter(hidden = true) User user) {
         LOG.debug(String.format("/cron/cleanup for user %s", user.getEduPersonPrincipalName()));
         UserPermissions.assertSuperUser(user);
-        Map<String, List<? extends Serializable>> body = resourceCleaner.doClean();
+        Map<String, Object> body = resourceCleaner.doClean();
         return ResponseEntity.ok(body);
     }
 

server/src/main/java/invite/cron/ResourceCleaner.java

@@ -9,6 +9,7 @@
 import invite.provision.ProvisioningService;
 import invite.provision.scim.OperationType;
 import invite.repository.UserRepository;
+import invite.repository.UserRoleAuditRepository;
 import invite.repository.UserRoleRepository;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -32,41 +33,47 @@ public class ResourceCleaner extends AbstractNodeLeader {
     private static final Log LOG = LogFactory.getLog(ResourceCleaner.class);
 
     private final UserRepository userRepository;
+    private final UserRoleAuditRepository userRoleAuditRepository;
     private final ProvisioningService provisioningService;
     private final UserRoleRepository userRoleRepository;
     private final UserRoleAuditService userRoleAuditService;
     private final int lastActivityDurationDays;
+    private final int purgeAuditLogDays;
 
 
     @Autowired
     public ResourceCleaner(UserRepository userRepository,
                            UserRoleRepository userRoleRepository,
                            ProvisioningService provisioningService,
                            DataSource dataSource,
+                           UserRoleAuditRepository userRoleAuditRepository,
                            UserRoleAuditService userRoleAuditService,
-                           @Value("${cron.last-activity-duration-days}") int lastActivityDurationDays) {
+                           @Value("${cron.last-activity-duration-days}") int lastActivityDurationDays,
+                           @Value("${cron.purge-audit-log-days}") int purgeAuditLogDays) {
         super(LOCK_NAME, dataSource);
         this.userRepository = userRepository;
         this.userRoleRepository = userRoleRepository;
+        this.userRoleAuditRepository = userRoleAuditRepository;
         this.userRoleAuditService = userRoleAuditService;
         this.lastActivityDurationDays = lastActivityDurationDays;
         this.provisioningService = provisioningService;
-    }
+        this.purgeAuditLogDays = purgeAuditLogDays;    }
 
     @Scheduled(cron = "${cron.user-cleaner-expression}")
     @Transactional
     public void clean() {
         super.perform("ResourceCleaner#clean", this::doClean);
     }
 
-    public Map<String, List<? extends Serializable>> doClean() {
+    public Map<String, Object> doClean() {
         List<User> users = cleanNonActiveUsers();
         List<User> orphans = cleanOrphanedUser();
         List<UserRole> userRoles = cleanUserRoles();
         return Map.of(
                 "DeletedNonActiveUsers", users,
                 "DeletedOrphanUsers", orphans,
-                "DeletedExpiredUserRoles", userRoles
+                "DeletedExpiredUserRoles", userRoles,
+                "DeletedUserRoleAudits", cleanUserRoleAudit()
         );
     }
 
@@ -117,4 +124,9 @@ private List<UserRole> cleanUserRoles() {
         return userRoles;
     }
 
+    private int cleanUserRoleAudit() {
+        Instant past = Instant.now().minus(Period.ofDays(purgeAuditLogDays));
+        return userRoleAuditRepository.deleteByCreatedAtBefore(past);
+    }
+
 }

server/src/main/java/invite/model/UserRoleAudit.java

@@ -62,14 +62,14 @@ public UserRoleAudit(ActionType action, UserRole userRole, String createdBy) {
         this.createdBy = createdBy;
     }
 
-    public UserRoleAudit(Role role, User user) {
+    public UserRoleAudit(Role role, User user, Instant createdAt) {
         this.roleId = role.getId();
         this.roleName = role.getName();
         this.userId = user.getId();
         this.userEmail = user.getEmail();
         this.action = ActionType.ADD;
         this.authority = Authority.GUEST;
-        this.createdAt = Instant.now();
+        this.createdAt = createdAt;
         this.createdBy = "test";
     }
 

server/src/main/java/invite/repository/UserRoleAuditRepository.java

@@ -4,10 +4,12 @@
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.Pageable;
 import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Modifying;
 import org.springframework.data.jpa.repository.Query;
 import org.springframework.data.repository.query.Param;
 import org.springframework.stereotype.Repository;
 
+import java.time.Instant;
 import java.util.List;
 
 @Repository
@@ -38,4 +40,6 @@ Page<UserRoleAudit> findAllByEmailLikeAndRoleIdIn(@Param("email") String email,
             countQuery = "SELECT COUNT(u) FROM user_roles_audit u WHERE u.roleId IN :roleIds"
     )
     Page<UserRoleAudit> findAllByRoleIdIn(@Param("roleIds") List<Long> roleIds, Pageable pageable);
+
+    int deleteByCreatedAtBefore(Instant cutoff);
 }

server/src/main/resources/application.yml

@@ -78,7 +78,6 @@ crypto:
   private-key-location: classpath:/private_key_pkcs8.pem
 
 cron:
-  node-cron-job-responsible: true
   user-cleaner-expression: "0 0/30 * * * *"
   last-activity-duration-days: 1000
   role-expiration-notifier-expression: "0 0/30 * * * *"
@@ -87,6 +86,8 @@ cron:
   metadata-resolver-initial-delay-milliseconds: 1
   metadata-resolver-fixed-rate-milliseconds: 86_400_000
   metadata-resolver-url: "classpath:/metadata/idps-metadata.xml"
+  # A value of 0 means no logs will be deleted
+  purge-audit-log-days: 365
 
 myconext:
   uri: "https://login.test2.eduid.nl/myconext/api/invite/provision-eduid"

server/src/test/java/invite/AbstractTest.java

@@ -1,15 +1,5 @@
 package invite;
 
-import invite.config.HashGenerator;
-import invite.crm.CRMContact;
-import invite.crm.CRMOrganisation;
-import invite.crm.CRMRole;
-import invite.eduid.EduIDProvision;
-import invite.manage.EntityType;
-import invite.manage.LocalManage;
-import invite.model.*;
-import invite.provision.scim.GroupURN;
-import invite.repository.*;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -23,6 +13,39 @@
 import com.nimbusds.jose.jwk.RSAKey;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
+import invite.config.HashGenerator;
+import invite.crm.CRMContact;
+import invite.crm.CRMOrganisation;
+import invite.crm.CRMRole;
+import invite.eduid.EduIDProvision;
+import invite.manage.EntityType;
+import invite.manage.LocalManage;
+import invite.model.APIToken;
+import invite.model.Application;
+import invite.model.ApplicationUsage;
+import invite.model.Authority;
+import invite.model.Invitation;
+import invite.model.InvitationRole;
+import invite.model.Language;
+import invite.model.Organisation;
+import invite.model.RemoteProvisionedUser;
+import invite.model.RequestedAuthnContext;
+import invite.model.Role;
+import invite.model.User;
+import invite.model.UserRole;
+import invite.model.UserRoleAudit;
+import invite.provision.scim.GroupURN;
+import invite.repository.APITokenRepository;
+import invite.repository.ApplicationRepository;
+import invite.repository.ApplicationUsageRepository;
+import invite.repository.InvitationRepository;
+import invite.repository.OrganisationRepository;
+import invite.repository.RemoteProvisionedGroupRepository;
+import invite.repository.RemoteProvisionedUserRepository;
+import invite.repository.RoleRepository;
+import invite.repository.UserRepository;
+import invite.repository.UserRoleAuditRepository;
+import invite.repository.UserRoleRepository;
 import io.restassured.RestAssured;
 import io.restassured.common.mapper.TypeRef;
 import io.restassured.config.ObjectMapperConfig;
@@ -54,14 +77,27 @@
 import java.io.IOException;
 import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;
-import java.security.*;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Security;
 import java.security.interfaces.RSAPrivateKey;
 import java.security.interfaces.RSAPublicKey;
 import java.text.SimpleDateFormat;
 import java.time.Clock;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+import java.util.UUID;
 import java.util.function.Consumer;
 import java.util.function.UnaryOperator;
 import java.util.stream.Collectors;
@@ -142,6 +178,9 @@ public abstract class AbstractTest {
     @Autowired
     protected InvitationRepository invitationRepository;
 
+    @Autowired
+    protected UserRoleAuditRepository userRoleAuditRepository;
+
     @Autowired
     protected RemoteProvisionedGroupRepository remoteProvisionedGroupRepository;
 
@@ -639,7 +678,7 @@ private void doSeed() {
         institutionAdmin.setOrganizationGUID(ORGANISATION_GUID);
 
         Organisation organisation = new Organisation(
-                CRM_ORGANIZATION_ID,"SURF","SURF"
+                CRM_ORGANIZATION_ID, "SURF", "SURF"
         );
         doSave(organisationRepository, organisation);
 
@@ -774,6 +813,26 @@ private void doSeed() {
         doSave(apiTokenRepository, apiToken, superUserApiToken, legacyApiToken, userApiToken);
     }
 
+    protected void seedUserRoleAudits(Instant createdAt) {
+        this.userRoleAuditRepository.deleteAllInBatch();
+        Role network = this.roleRepository.findByName("Network").get();
+        Role research = this.roleRepository.findByName("Research").get();
+        Role mail = this.roleRepository.findByName("Mail").get();
+
+        //paul.doe@example.com
+        User inviter = this.userRepository.findBySubIgnoreCase(INVITER_SUB).get();
+        //ann.doe@example.com
+        User guest = this.userRepository.findBySubIgnoreCase(GUEST_SUB).get();
+        Instant now = Instant.now();
+        UserRoleAudit auditNetworkInviter = new UserRoleAudit(network, inviter, now);
+        UserRoleAudit auditResearchInviter = new UserRoleAudit(research, inviter, now);
+        UserRoleAudit auditResearchGuest = new UserRoleAudit(research, guest, now);
+        UserRoleAudit auditMailGuest = new UserRoleAudit(mail, guest, now);
+
+        doSave(userRoleAuditRepository, auditNetworkInviter, auditResearchInviter, auditResearchGuest, auditMailGuest);
+    }
+
+
     @SafeVarargs
     protected final <M> void doSave(JpaRepository<M, Long> repository, M... entities) {
         repository.saveAll(Arrays.asList(entities));

server/src/test/java/invite/api/UserRoleAuditControllerTest.java

@@ -3,6 +3,7 @@
 import invite.AbstractTest;
 import invite.AccessCookieFilter;
 import invite.DefaultPage;
+import invite.cron.ResourceCleaner;
 import invite.model.Role;
 import invite.model.User;
 import invite.model.UserRoleAudit;
@@ -14,6 +15,8 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
 import java.util.List;
 import java.util.Map;
 
@@ -22,13 +25,10 @@
 
 class UserRoleAuditControllerTest extends AbstractTest {
 
-    @Autowired
-    protected UserRoleAuditRepository userRoleAuditRepository;
-
     @BeforeEach
     protected void beforeEach() throws Exception {
         super.beforeEach();
-        this.seedUserRoleAudits();
+        this.seedUserRoleAudits(Instant.now());
     }
 
     @Test
@@ -181,23 +181,4 @@ void fetchRolesSuperUser() throws Exception {
         assertEquals(6, res.size());
     }
 
-    private void seedUserRoleAudits() {
-        this.userRoleAuditRepository.deleteAllInBatch();
-        Role network = this.roleRepository.findByName("Network").get();
-        Role research = this.roleRepository.findByName("Research").get();
-        Role mail = this.roleRepository.findByName("Mail").get();
-
-        //paul.doe@example.com
-        User inviter = this.userRepository.findBySubIgnoreCase(INVITER_SUB).get();
-        //ann.doe@example.com
-        User guest = this.userRepository.findBySubIgnoreCase(GUEST_SUB).get();
-
-        UserRoleAudit auditNetworkInviter = new UserRoleAudit(network, inviter);
-        UserRoleAudit auditResearchInviter = new UserRoleAudit(research, inviter);
-        UserRoleAudit auditResearchGuest = new UserRoleAudit(research, guest);
-        UserRoleAudit auditMailGuest = new UserRoleAudit(mail, guest);
-        doSave(userRoleAuditRepository, auditNetworkInviter, auditResearchInviter, auditResearchGuest, auditMailGuest);
-    }
-
-
 }